diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index f44f3a7a13..1b4517ffbc 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -199,6 +199,7 @@ function get_option($setting) {
 if ( false === $value ) {
 if ( defined('WP_INSTALLING') )
 $wpdb->hide_errors();
+ // expected_slashed ($setting)
 $row = $wpdb->get_row("SELECT option_value FROM $wpdb->options WHERE option_name = '$setting' LIMIT 1");
 if ( defined('WP_INSTALLING') )
 $wpdb->show_errors();
@@ -315,9 +316,7 @@ function update_option($option_name, $newvalue) {
 wp_cache_set($option_name, $newvalue, 'options');
 }
- $newvalue = $wpdb->escape($newvalue);
- $option_name = $wpdb->escape($option_name);
- $wpdb->query("UPDATE $wpdb->options SET option_value = '$newvalue' WHERE option_name = '$option_name'");
+ $wpdb->query($wpdb->prepare("UPDATE $wpdb->options SET option_value = %s WHERE option_name = %s", $newvalue, $option_name));
 if ( $wpdb->rows_affected == 1 ) {
 do_action("update_option_{$option_name}", $oldvalue, $_newvalue);
 return true;
@@ -357,9 +356,7 @@ function add_option($name, $value = '', $deprecated = '', $autoload = 'yes') {
 wp_cache_set('notoptions', $notoptions, 'options');
 }
- $name = $wpdb->escape($name);
- $value = $wpdb->escape($value);
- $wpdb->query("INSERT INTO $wpdb->options (option_name, option_value, autoload) VALUES ('$name', '$value', '$autoload')");
+ $wpdb->query($wpdb->prepare("INSERT INTO $wpdb->options (option_name, option_value, autoload) VALUES (%s, %s, %s)", $name, $value, $autoload));
 return;
 }
@@ -370,8 +367,10 @@ function delete_option($name) {
 wp_protect_special_option($name);
 // Get the ID, if no ID then return
+ // expected_slashed ($name)
 $option = $wpdb->get_row("SELECT option_id, autoload FROM $wpdb->options WHERE option_name = '$name'");
 if ( !$option->option_id ) return false;
+ // expected_slashed ($name)
 $wpdb->query("DELETE FROM $wpdb->options WHERE option_name = '$name'");
 if ( 'yes' == $option->autoload ) {
 $alloptions = wp_load_alloptions();
@@ -514,15 +513,15 @@ function do_enclose( $content, $post_ID ) {
 endforeach;
 foreach ($post_links as $url) :
- if ( $url != '' && !$wpdb->get_var("SELECT post_id FROM $wpdb->postmeta WHERE post_id = '$post_ID' AND meta_key = 'enclosure' AND meta_value LIKE ('$url%')") ) {
+ if ( $url != '' && !$wpdb->get_var($wpdb->prepare("SELECT post_id FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = 'enclosure' AND meta_value LIKE (%s)", $post_ID, $url.'%')) ) {
 if ( $headers = wp_get_http_headers( $url) ) {
 $len = (int) $headers['content-length'];
 $type = $wpdb->escape( $headers['content-type'] );
 $allowed_types = array( 'video', 'audio' );
 if ( in_array( substr( $type, 0, strpos( $type, "/" ) ), $allowed_types ) ) {
 $meta_value = "$url\n$len\n$type\n";
- $wpdb->query( "INSERT INTO `$wpdb->postmeta` ( `post_id` , `meta_key` , `meta_value` )
- VALUES ( '$post_ID', 'enclosure' , '$meta_value')" );
+ $wpdb->query($wpdb->prepare("INSERT INTO `$wpdb->postmeta` ( `post_id` , `meta_key` , `meta_value` )
+ VALUES ( %d, 'enclosure' , %s)", $post_ID, $meta_value));
 }
 }
 }
diff --git a/wp-includes/general-template.php b/wp-includes/general-template.php
index 3fef92f2fe..d0499d2c25 100644
--- a/wp-includes/general-template.php
+++ b/wp-includes/general-template.php
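Review bot: In do_enclose the INSERT now binds `$meta_value` with `%s`, but `$type` inside it is still produced by `$type = $wpdb->escape( $headers['content-type'] );` a few lines above, so if prepare() escapes its arguments (as the removal of `$wpdb->escape` calls elsewhere in this commit implies) the content-type is escaped twice and a quote or backslash in the header is stored with stray backslashes. Drop the escape now that the value is bound: `$type = $headers['content-type'];`. The `LIKE (%s)` argument `$url.'%'` still lets `%` and `_` inside the URL act as wildcards, which this commit does not change; an exact prefix match would need them escaped first, e.g. `addcslashes($url, '%_').'%'`.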
@@ -208,7 +208,7 @@ function wp_title($sep = '»', $display = true) {
 }
 if ( !empty($author_name) ) {
 // We do a direct query here because we don't cache by nicename.
- $title = $wpdb->get_var("SELECT display_name FROM $wpdb->users WHERE user_nicename = '$author_name'");
+ $title = $wpdb->get_var($wpdb->prepare("SELECT display_name FROM $wpdb->users WHERE user_nicename = %s", $author_name));
 }
 // If there's a month
@@ -255,7 +255,7 @@ function single_post_title($prefix = '', $display = true) {
 if ( intval($p) || '' != $name ) {
 if ( !$p )
- $p = $wpdb->get_var("SELECT ID FROM $wpdb->posts WHERE post_name = '$name'");
+ $p = $wpdb->get_var($wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_name = %s", $name));
 $post = & get_post($p);
 $title = $post->post_title;
 $title = apply_filters('single_post_title', $title);
@@ -363,7 +363,7 @@ function wp_get_archives($args = '') {
 $type = 'monthly';
 if ( '' != $limit ) {
- $limit = (int) $limit;
+ $limit = abs(intval($limit));
 $limit = ' LIMIT '.$limit;
 }
diff --git a/wp-includes/link-template.php b/wp-includes/link-template.php
index 6a0677b7dd..c3b7ed7517 100644
--- a/wp-includes/link-template.php
+++ b/wp-includes/link-template.php
@@ -367,9 +367,9 @@ function get_previous_post($in_same_cat = false, $excluded_categories = '') {
 if ( $in_same_cat ) {
 $join = " INNER JOIN $wpdb->term_relationships AS tr ON p.ID = tr.object_id ";
 $cat_array = wp_get_object_terms($post->ID, 'category', 'fields=tt_ids');
- $join .= ' AND (tr.term_taxonomy_id = ' . intval($cat_array[0]);
+ $join .= $wpdb->prepare(' AND (tr.term_taxonomy_id = %d', $cat_array[0]);
 for ( $i = 1; $i < (count($cat_array)); $i++ ) {
- $join .= ' OR tr.term_taxonomy_id = ' . intval($cat_array[$i]);
+ $join .= $wpdb->prepare(' OR tr.term_taxonomy_id = %d', $cat_array[$i]);
 }
 $join .= ')';
 }
@@ -382,7 +382,7 @@ function get_previous_post($in_same_cat = false, $excluded_categories = '') {
 }
 $join = apply_filters( 'get_previous_post_join', $join, $in_same_cat, $excluded_categories );
- $where = apply_filters( 'get_previous_post_where', "WHERE p.post_date < '$current_post_date' AND p.post_type = 'post' AND p.post_status = 'publish' $posts_in_ex_cats_sql", $in_same_cat, $excluded_categories );
+ $where = apply_filters( 'get_previous_post_where', $wpdb->prepare("WHERE p.post_date < %s AND p.post_type = 'post' AND p.post_status = 'publish' $posts_in_ex_cats_sql", $current_post_date), $in_same_cat, $excluded_categories );
 $sort = apply_filters( 'get_previous_post_sort', 'ORDER BY p.post_date DESC LIMIT 1' );
 return @$wpdb->get_row("SELECT p.ID, p.post_title FROM $wpdb->posts AS p $join $where $sort");
@@ -400,9 +400,9 @@ function get_next_post($in_same_cat = false, $excluded_categories = '') {
 if ( $in_same_cat ) {
 $join = " INNER JOIN $wpdb->term_relationships AS tr ON p.ID = tr.object_id ";
 $cat_array = wp_get_object_terms($post->ID, 'category', 'fields=tt_ids');
- $join .= ' AND (tr.term_taxonomy_id = ' . intval($cat_array[0]);
+ $join .= $wpdb->prepare(' AND (tr.term_taxonomy_id = %d', $cat_array[0]);
 for ( $i = 1; $i < (count($cat_array)); $i++ ) {
- $join .= ' OR tr.term_taxonomy_id = ' . intval($cat_array[$i]);
+ $join .= $wpdb->prepare(' OR tr.term_taxonomy_id = $d', $cat_array[$i]);
 }
 $join .= ')';
 }
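Review bot: The loop line in get_next_post uses `$d` instead of `%d`: `$join .= $wpdb->prepare(' OR tr.term_taxonomy_id = $d', $cat_array[$i]);`. Inside single quotes `$d` is literal text, so prepare() sees no placeholder for `$cat_array[$i]`, the argument is dropped and the emitted SQL contains the bare token `$d`, breaking every same-category lookup with more than one category. It should read `$join .= $wpdb->prepare(' OR tr.term_taxonomy_id = %d', $cat_array[$i]);`, matching the get_previous_post hunk above.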
@@ -415,7 +415,7 @@ function get_next_post($in_same_cat = false, $excluded_categories = '') {
 }
 $join = apply_filters( 'get_next_post_join', $join, $in_same_cat, $excluded_categories );
- $where = apply_filters( 'get_next_post_where', "WHERE p.post_date > '$current_post_date' AND p.post_type = 'post' AND p.post_status = 'publish' $posts_in_ex_cats_sql AND p.ID != $post->ID", $in_same_cat, $excluded_categories );
+ $where = apply_filters( 'get_next_post_where', $wpdb->prepare("WHERE p.post_date > %s AND p.post_type = 'post' AND p.post_status = 'publish' $posts_in_ex_cats_sql AND p.ID != %d", $current_post_date, $post->ID), $in_same_cat, $excluded_categories );
 $sort = apply_filters( 'get_next_post_sort', 'ORDER BY p.post_date ASC LIMIT 1' );
 return @$wpdb->get_row("SELECT p.ID, p.post_title FROM $wpdb->posts AS p $join $where $sort");
diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php
index 530fe7d481..391429bc17 100644
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -60,7 +60,7 @@ endif;
 if ( !function_exists('get_userdata') ) :
 function get_userdata( $user_id ) {
 global $wpdb;
- $user_id = (int) $user_id;
+ $user_id = abs(intval($user_id));
 if ( $user_id == 0 )
 return false;
@@ -69,11 +69,11 @@ function get_userdata( $user_id ) {
 if ( $user )
 return $user;
- if ( !$user = $wpdb->get_row("SELECT * FROM $wpdb->users WHERE ID = '$user_id' LIMIT 1") )
+ if ( !$user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE ID = %d LIMIT 1", $user_id)) )
 return false;
 $wpdb->hide_errors();
- $metavalues = $wpdb->get_results("SELECT meta_key, meta_value FROM $wpdb->usermeta WHERE user_id = '$user_id'");
+ $metavalues = $wpdb->get_results($wpdb->prepare("SELECT meta_key, meta_value FROM $wpdb->usermeta WHERE user_id = %d", $user_id));
 $wpdb->show_errors();
 if ($metavalues) {
@@ -121,9 +121,7 @@ function get_userdatabylogin($user_login) {
 if ( $userdata )
 return $userdata;
- $user_login = $wpdb->escape($user_login);
-
- if ( !$user_ID = $wpdb->get_var("SELECT ID FROM $wpdb->users WHERE user_login = '$user_login'") )
+ if ( !$user_ID = $wpdb->get_var($wpdb->prepare("SELECT ID FROM $wpdb->users WHERE user_login = %s", $user_login)) )
 return false;
 $user = get_userdata($user_ID);
@@ -579,8 +577,8 @@ function wp_notify_moderator($comment_id) {
 if( get_option( "moderation_notify" ) == 0 )
 return true;
- $comment = $wpdb->get_row("SELECT * FROM $wpdb->comments WHERE comment_ID='$comment_id' LIMIT 1");
- $post = $wpdb->get_row("SELECT * FROM $wpdb->posts WHERE ID='$comment->comment_post_ID' LIMIT 1");
+ $comment = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_ID=%d LIMIT 1", $comment_id));
+ $post = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->posts WHERE ID=%d LIMIT 1", $comment->comment_post_ID));
 $comment_author_domain = @gethostbyaddr($comment->comment_author_IP);
 $comments_waiting = $wpdb->get_var("SELECT count(comment_ID) FROM $wpdb->comments WHERE comment_approved = '0'");
diff --git a/wp-includes/post.php b/wp-includes/post.php
index 89e2175ba2..d928686f1e 100644
--- a/wp-includes/post.php
+++ b/wp-includes/post.php
@@ -113,8 +113,7 @@ function &get_post(&$post, $output = OBJECT, $filter = 'raw') {
 elseif ( $_post = wp_cache_get($post, 'pages') )
 return get_page($_post, $output);
 else {
- $query = "SELECT * FROM $wpdb->posts WHERE ID = '$post' LIMIT 1";
- $_post = & $wpdb->get_row($query);
+ $_post = & $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->posts WHERE ID = %d LIMIT 1", $post));
 if ( 'page' == $_post->post_type )
 return get_page($_post, $output);
 $post_cache[$blog_id][$post] = & $_post;
@@ -223,9 +222,9 @@ function get_posts($args) {
 if ( count($incposts) ) {
 foreach ( $incposts as $incpost ) {
 if (empty($inclusions))
- $inclusions = ' AND ( ID = ' . intval($incpost) . ' ';
+ $inclusions = $wpdb->prepare(' AND ( ID = %d ', $incpost);
 else
- $inclusions .= ' OR ID = ' . intval($incpost) . ' ';
+ $inclusions .= $wpdb->prepare(' OR ID = %d ', $incpost);
 }
 }
 }
@@ -238,9 +237,9 @@ function get_posts($args) {
 if ( count($exposts) ) {
 foreach ( $exposts as $expost ) {
 if (empty($exclusions))
- $exclusions = ' AND ( ID <> ' . intval($expost) . ' ';
+ $exclusions = $wpdb->prepare(' AND ( ID <> %d ', $expost);
 else
- $exclusions .= ' AND ID <> ' . intval($expost) . ' ';
+ $exclusions .= $wpdb->prepare(' AND ID <> %d ', $expost);
 }
 }
 }
@@ -251,15 +250,16 @@ function get_posts($args) {
 $query .= empty( $category ) ? '' : ", $wpdb->term_relationships, $wpdb->term_taxonomy ";
 $query .= empty( $meta_key ) ? '' : ", $wpdb->postmeta ";
 $query .= " WHERE 1=1 ";
- $query .= empty( $post_type ) ? '' : "AND post_type = '$post_type' ";
- $query .= empty( $post_status ) ? '' : "AND post_status = '$post_status' ";
+ $query .= empty( $post_type ) ? '' : $wpdb->prepare("AND post_type = %s ", $post_type);
+ $query .= empty( $post_status ) ? '' : $wpdb->prepare("AND post_status = %s ", $post_status);
 $query .= "$exclusions $inclusions " ;
- $query .= empty( $category ) ? '' : "AND ($wpdb->posts.ID = $wpdb->term_relationships.object_id AND $wpdb->term_relationships.term_taxonomy_id = $wpdb->term_taxonomy.term_taxonomy_id AND $wpdb->term_taxonomy.term_id = " . $category. ") ";
- $query .= empty( $post_parent ) ? '' : "AND $wpdb->posts.post_parent = '$post_parent' ";
+ $query .= empty( $category ) ? '' : $wpdb->prepare("AND ($wpdb->posts.ID = $wpdb->term_relationships.object_id AND $wpdb->term_relationships.term_taxonomy_id = $wpdb->term_taxonomy.term_taxonomy_id AND $wpdb->term_taxonomy.term_id = %d) ", $category);
+ $query .= empty( $post_parent ) ? '' : $wpdb->prepare("AND $wpdb->posts.post_parent = %d ", $post_parent);
+ // expected_slashed ($meta_key, $meta_value) -- Also, this looks really funky, doesn't seem like it works
 $query .= empty( $meta_key ) | empty($meta_value) ? '' : " AND ($wpdb->posts.ID = $wpdb->postmeta.post_id AND $wpdb->postmeta.meta_key = '$meta_key' AND $wpdb->postmeta.meta_value = '$meta_value' )";
 $query .= " GROUP BY $wpdb->posts.ID ORDER BY " . $orderby . ' ' . $order;
 if ( 0 < $numberposts )
- $query .= " LIMIT " . $offset . ',' . $numberposts;
+ $query .= $wpdb->prepare(" LIMIT %d,%d", $offset, $numberposts);
 $posts = $wpdb->get_results($query);
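Review bot: The new comment on the meta clause says it "doesn't seem like it works" but leaves the question open; `empty( $meta_key ) | empty($meta_value)` is a bitwise OR of two booleans, which PHP evaluates to int 0 or 1 before the ternary is applied, so the clause is appended only when both values are non-empty and does work as written. Replacing the guess with `// bitwise | on two bools behaves like ||; use || for clarity` (or simply switching to `||`) documents the real behaviour; the same applies to the get_pages hunk later in this file. Note also that `" GROUP BY $wpdb->posts.ID ORDER BY " . $orderby . ' ' . $order` concatenates identifiers prepare() cannot bind; if those come from the caller's args they need a whitelist of allowed columns and directions rather than escaping. get_posts starts before this hunk.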
@@ -275,10 +275,9 @@ function get_posts($args) {
 function add_post_meta($post_id, $key, $value, $unique = false) {
 global $wpdb, $post_meta_cache, $blog_id;
- $post_id = (int) $post_id;
-
 if ( $unique ) {
- if ( $wpdb->get_var("SELECT meta_key FROM $wpdb->postmeta WHERE meta_key = '$key' AND post_id = '$post_id'") ) {
+ // expected_slashed ($key)
+ if ( $wpdb->get_var($wpdb->prepare("SELECT meta_key FROM $wpdb->postmeta WHERE meta_key = '$key' AND post_id = %d", $post_id)) ) {
 return false;
 }
 }
@@ -286,9 +285,9 @@ function add_post_meta($post_id, $key, $value, $unique = false) {
 $post_meta_cache[$blog_id][$post_id][$key][] = $value;
 $value = maybe_serialize($value);
- $value = $wpdb->escape($value);
- $wpdb->query("INSERT INTO $wpdb->postmeta (post_id,meta_key,meta_value) VALUES ('$post_id','$key','$value')");
+ // expected_slashed ($key)
+ $wpdb->query($wpdb->prepare("INSERT INTO $wpdb->postmeta (post_id,meta_key,meta_value) VALUES (%d,'$key',%s)", $post_id, $value));
 return true;
 }
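Review bot: `meta_key = '$key'` is interpolated into the format string handed to prepare(), and if prepare() formats with vsprintf (which the `%d`/`%s` placeholders suggest) a literal `%` in `$key` is parsed as a conversion specifier, consuming or misaligning the bound `$post_id` and corrupting the query. The safe form binds it: `"SELECT meta_key FROM $wpdb->postmeta WHERE meta_key = %s AND post_id = %d", stripslashes($key), $post_id` — the stripslashes() is needed because the `expected_slashed ($key)` contract means the value arrives pre-escaped and binding would escape it a second time. The same interpolation-into-format pattern appears in the second add_post_meta hunk, in delete_post_meta and update_post_meta (`'$key'`, `'$value'`), in add_ping (`'$new'`), and in the wp_insert_post and wp_insert_attachment UPDATE/INSERT statements, where `$post_content` and `$post_title` routinely contain `%`.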
@@ -296,22 +295,24 @@ function add_post_meta($post_id, $key, $value, $unique = false) {
 function delete_post_meta($post_id, $key, $value = '') {
 global $wpdb, $post_meta_cache, $blog_id;
- $post_id = (int) $post_id;
-
 if ( empty($value) ) {
- $meta_id = $wpdb->get_var("SELECT meta_id FROM $wpdb->postmeta WHERE post_id = '$post_id' AND meta_key = '$key'");
+ // expected_slashed ($key)
+ $meta_id = $wpdb->get_var($wpdb->prepare("SELECT meta_id FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = '$key'", $post_id));
 } else {
- $meta_id = $wpdb->get_var("SELECT meta_id FROM $wpdb->postmeta WHERE post_id = '$post_id' AND meta_key = '$key' AND meta_value = '$value'");
+ // expected_slashed ($key, $value)
+ $meta_id = $wpdb->get_var($wpdb->prepare("SELECT meta_id FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = '$key' AND meta_value = '$value'", $post_id));
 }
 if ( !$meta_id )
 return false;
 if ( empty($value) ) {
- $wpdb->query("DELETE FROM $wpdb->postmeta WHERE post_id = '$post_id' AND meta_key = '$key'");
+ // expected_slashed ($key)
+ $wpdb->query($wpdb->prepare("DELETE FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = '$key'", $post_id));
 unset($post_meta_cache[$blog_id][$post_id][$key]);
 } else {
- $wpdb->query("DELETE FROM $wpdb->postmeta WHERE post_id = '$post_id' AND meta_key = '$key' AND meta_value = '$value'");
+ // expected_slashed ($key, $value)
+ $wpdb->query($wpdb->prepare("DELETE FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = '$key' AND meta_value = '$value'", $post_id));
 $cache_key = $post_meta_cache[$blog_id][$post_id][$key];
 if ($cache_key)
 foreach ( $cache_key as $index => $data )
 if ( $data == $value )
@@ -352,28 +353,27 @@ function get_post_meta($post_id, $key, $single = false) {
 function update_post_meta($post_id, $key, $value, $prev_value = '') {
 global $wpdb, $post_meta_cache, $blog_id;
- $post_id = (int) $post_id;
-
 $original_value = $value;
 $value = maybe_serialize($value);
- $value = $wpdb->escape($value);
 $original_prev = $prev_value;
 $prev_value = maybe_serialize($prev_value);
- $prev_value = $wpdb->escape($prev_value);
- if (! $wpdb->get_var("SELECT meta_key FROM $wpdb->postmeta WHERE meta_key = '$key' AND post_id = '$post_id'") ) {
+ // expected_slashed ($key)
+ if (! $wpdb->get_var($wpdb->prepare("SELECT meta_key FROM $wpdb->postmeta WHERE meta_key = '$key' AND post_id = %d", $post_id)) ) {
 return false;
 }
 if ( empty($prev_value) ) {
- $wpdb->query("UPDATE $wpdb->postmeta SET meta_value = '$value' WHERE meta_key = '$key' AND post_id = '$post_id'");
+ // expected_slashed ($key)
+ $wpdb->query($wpdb->prepare("UPDATE $wpdb->postmeta SET meta_value = %s WHERE meta_key = '$key' AND post_id = %d", $value, $post_id));
 $cache_key = $post_meta_cache[$blog_id][$post_id][$key];
 if ( !empty($cache_key) )
 foreach ($cache_key as $index => $data)
 $post_meta_cache[$blog_id][$post_id][$key][$index] = $original_value;
 } else {
- $wpdb->query("UPDATE $wpdb->postmeta SET meta_value = '$value' WHERE meta_key = '$key' AND post_id = '$post_id' AND meta_value = '$prev_value'");
+ // expected_slashed ($key)
+ $wpdb->query($wpdb->prepare("UPDATE $wpdb->postmeta SET meta_value = %s WHERE meta_key = '$key' AND post_id = %d AND meta_value = %s", $value, $post_id, $prev_value));
 $cache_key = $post_meta_cache[$blog_id][$post_id][$key];
 if ( !empty($cache_key) )
 foreach ($cache_key as $index => $data)
@@ -387,8 +387,7 @@ function update_post_meta($post_id, $key, $value, $prev_value = '') {
 function delete_post_meta_by_key($post_meta_key) {
 global $wpdb, $post_meta_cache, $blog_id;
- $post_meta_key = $wpdb->escape($post_meta_key);
- if ( $wpdb->query("DELETE FROM $wpdb->postmeta WHERE meta_key = '$post_meta_key'") ) {
+ if ( $wpdb->query($wpdb->prepare("DELETE FROM $wpdb->postmeta WHERE meta_key = %s", $post_meta_key)) ) {
 unset($post_meta_cache[$blog_id]); // not worth doing the work to iterate through the cache
 return true;
 }
@@ -504,9 +503,8 @@ function sanitize_post_field($field, $value, $post_id, $context) {
 function wp_delete_post($postid = 0) {
 global $wpdb, $wp_rewrite;
- $postid = (int) $postid;
- if ( !$post = $wpdb->get_row("SELECT * FROM $wpdb->posts WHERE ID = $postid") )
+ if ( !$post = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->posts WHERE ID = %d", $postid)) )
 return $post;
 if ( 'attachment' == $post->post_type )
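Review bot: Dropping `$postid = (int) $postid;` in wp_delete_post leaves `$postid` uncast for the rest of the function: the row is fetched for the `%d`-converted value, but the later `wp_delete_object_term_relationships($postid, ...)` and `clean_page_cache($postid)` calls (visible in the next hunk) receive the original, possibly non-numeric, value, so the two can disagree. Keeping `$postid = (int) $postid;` ahead of the query, or switching the later calls to `$post->ID`, closes that gap. The same cast removal appears in wp_delete_attachment and in add_post_meta, delete_post_meta and update_post_meta, where `$post_id` is still used as the `$post_meta_cache` index. wp_delete_post continues past this hunk.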
@@ -518,15 +516,15 @@ function wp_delete_post($postid = 0) {
 wp_delete_object_term_relationships($postid, array('category', 'post_tag'));
 if ( 'page' == $post->post_type )
- $wpdb->query("UPDATE $wpdb->posts SET post_parent = $post->post_parent WHERE post_parent = $postid AND post_type = 'page'");
+ $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET post_parent = $post->post_parent WHERE post_parent = %d AND post_type = 'page'", $postid ));
- $wpdb->query("UPDATE $wpdb->posts SET post_parent = $post->post_parent WHERE post_parent = $postid AND post_type = 'attachment'");
+ $wpdb->query( $wpdb->prepare( "UPDATE $wpdb->posts SET post_parent = %s WHERE post_parent = %d AND post_type = 'attachment'", $post->post_parent, $postid ));
- $wpdb->query("DELETE FROM $wpdb->posts WHERE ID = $postid");
+ $wpdb->query( $wpdb->prepare( "DELETE FROM $wpdb->posts WHERE ID = %d", $postid ));
- $wpdb->query("DELETE FROM $wpdb->comments WHERE comment_post_ID = $postid");
+ $wpdb->query( $wpdb->prepare( "DELETE FROM $wpdb->comments WHERE comment_post_ID = %d", $postid ));
- $wpdb->query("DELETE FROM $wpdb->postmeta WHERE post_id = $postid");
+ $wpdb->query( $wpdb->prepare( "DELETE FROM $wpdb->postmeta WHERE post_id = %d", $postid ));
 if ( 'page' == $post->post_type ) {
 clean_page_cache($postid);
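Review bot: The two UPDATE statements treat `$post->post_parent` differently: the first still interpolates it into the query text (`SET post_parent = $post->post_parent WHERE post_parent = %d`) while the second binds it with `%s`, although `post_parent` is compared with `%d` everywhere else in this commit. Bind it in both and use the integer placeholder: `"UPDATE $wpdb->posts SET post_parent = %d WHERE post_parent = %d AND post_type = 'page'", $post->post_parent, $postid` and the same `%d` in the attachment statement. wp_delete_post starts before and continues after this hunk.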
@@ -694,13 +692,15 @@ function wp_insert_post($postarr = array()) {
 $post_password = '';
 if ( 'draft' != $post_status ) {
- $post_name_check = $wpdb->get_var("SELECT post_name FROM $wpdb->posts WHERE post_name = '$post_name' AND post_type = '$post_type' AND ID != '$post_ID' AND post_parent = '$post_parent' LIMIT 1");
+ // expected_slashed ($post_name, $post_type)
+ $post_name_check = $wpdb->get_var($wpdb->prepare("SELECT post_name FROM $wpdb->posts WHERE post_name = '$post_name' AND post_type = '$post_type' AND ID != %d AND post_parent = %d LIMIT 1", $post_ID, $post_parent));
 if ($post_name_check || in_array($post_name, $wp_rewrite->feeds) ) {
 $suffix = 2;
 do {
 $alt_post_name = substr($post_name, 0, 200-(strlen($suffix)+1)). "-$suffix";
- $post_name_check = $wpdb->get_var("SELECT post_name FROM $wpdb->posts WHERE post_name = '$alt_post_name' AND post_type = '$post_type' AND ID != '$post_ID' AND post_parent = '$post_parent' LIMIT 1");
+ // expected_slashed ($alt_post_name, $post_name, $post_type)
+ $post_name_check = $wpdb->get_var($wpdb->prepare("SELECT post_name FROM $wpdb->posts WHERE post_name = '$alt_post_name' AND post_type = '$post_type' AND ID != %d AND post_parent = %d LIMIT 1", $post_ID, $post_parent));
 $suffix++;
 } while ($post_name_check);
 $post_name = $alt_post_name;
@@ -708,7 +708,9 @@ function wp_insert_post($postarr = array()) {
 }
 if ($update) {
+ // expected_slashed (everything!)
 $wpdb->query(
+ $wpdb->prepare(
 "UPDATE IGNORE $wpdb->posts SET
 post_author = '$post_author',
 post_date = '$post_date',
@@ -727,21 +729,25 @@ function wp_insert_post($postarr = array()) {
 pinged = '$pinged',
 post_modified = '".current_time('mysql')."',
 post_modified_gmt = '".current_time('mysql',1)."',
- post_parent = '$post_parent',
+ post_parent = %d,
 menu_order = '$menu_order'
- WHERE ID = $post_ID");
+ WHERE ID = %d"
+ , $post_parent, $post_ID ));
 } else {
+ // expected_slashed (everything!)
 $wpdb->query(
+ $wpdb->prepare(
 "INSERT IGNORE INTO $wpdb->posts
 (post_author, post_date, post_date_gmt, post_content, post_content_filtered, post_title, post_excerpt, post_status, post_type, comment_status, ping_status, post_password, post_name, to_ping, pinged, post_modified, post_modified_gmt, post_parent, menu_order, post_mime_type)
 VALUES
- ('$post_author', '$post_date', '$post_date_gmt', '$post_content', '$post_content_filtered', '$post_title', '$post_excerpt', '$post_status', '$post_type', '$comment_status', '$ping_status', '$post_password', '$post_name', '$to_ping', '$pinged', '$post_date', '$post_date_gmt', '$post_parent', '$menu_order', '$post_mime_type')");
+ ('$post_author', '$post_date', '$post_date_gmt', '$post_content', '$post_content_filtered', '$post_title', '$post_excerpt', '$post_status', '$post_type', '$comment_status', '$ping_status', '$post_password', '$post_name', '$to_ping', '$pinged', '$post_date', '$post_date_gmt', %d, '$menu_order', '$post_mime_type')", $post_parent));
 $post_ID = (int) $wpdb->insert_id;
 }
 if ( empty($post_name) && 'draft' != $post_status ) {
 $post_name = sanitize_title($post_title, $post_ID);
- $wpdb->query( "UPDATE $wpdb->posts SET post_name = '$post_name' WHERE ID = '$post_ID'" );
+ // expected_slashed ($post_name)
+ $wpdb->query($wpdb->prepare("UPDATE $wpdb->posts SET post_name = '$post_name' WHERE ID = %d", $post_ID));
 }
 wp_set_post_categories( $post_ID, $post_category );
@@ -755,7 +761,7 @@ function wp_insert_post($postarr = array()) {
 // Set GUID
 if ( ! $update )
- $wpdb->query("UPDATE $wpdb->posts SET guid = '" . get_permalink($post_ID) . "' WHERE ID = '$post_ID'");
+ $wpdb->query( $wpdb->prepare( "UPDATE $wpdb->posts SET guid = %s WHERE ID = %d", get_permalink($post_ID), $post_ID ));
 $post = get_post($post_ID);
 if ( !empty($page_template) )
@@ -823,7 +829,7 @@ function wp_publish_post($post_id) {
 if ( 'publish' == $post->post_status )
 return;
- $wpdb->query( "UPDATE $wpdb->posts SET post_status = 'publish' WHERE ID = '$post_id'" );
+ $wpdb->query( $wpdb->prepare( "UPDATE $wpdb->posts SET post_status = 'publish' WHERE ID = %d", $post_id ));
 $old_status = $post->post_status;
 $post->post_status = 'publish';
@@ -883,13 +889,14 @@ function wp_transition_post_status($new_status, $old_status, $post) {
 function add_ping($post_id, $uri) { // Add a URL to those already pung
 global $wpdb;
- $pung = $wpdb->get_var("SELECT pinged FROM $wpdb->posts WHERE ID = $post_id");
+ $pung = $wpdb->get_var( $wpdb->prepare( "SELECT pinged FROM $wpdb->posts WHERE ID = %d", $post_id ));
 $pung = trim($pung);
 $pung = preg_split('/\s/', $pung);
 $pung[] = $uri;
 $new = implode("\n", $pung);
 $new = apply_filters('add_ping', $new);
- return $wpdb->query("UPDATE $wpdb->posts SET pinged = '$new' WHERE ID = $post_id");
+ // expected_slashed ($new)
+ return $wpdb->query( $wpdb->prepare( "UPDATE $wpdb->posts SET pinged = '$new' WHERE ID = %d", $post_id ));
 }
 function get_enclosed($post_id) { // Get enclosures already enclosed for a post
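Review bot: The `// expected_slashed ($new)` annotation in add_ping does not hold: `$new` is assembled from the `pinged` column read straight back from the database (which is not slashed), from `$uri`, whose slashing state the hunk does not show, and from the `add_ping` filter output, so `SET pinged = '$new'` writes data that was never escaped for this statement and a quote in any stored URL breaks the query. Since the value is built locally it can simply be bound: `return $wpdb->query( $wpdb->prepare( "UPDATE $wpdb->posts SET pinged = %s WHERE ID = %d", $new, $post_id ));`, which also avoids interpolating a `%`-bearing value into a prepare() format string.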
@@ -913,7 +920,7 @@ function get_enclosed($post_id) { // Get enclosures already enclosed for a post
 function get_pung($post_id) { // Get URLs already pung for a post
 global $wpdb;
- $pung = $wpdb->get_var("SELECT pinged FROM $wpdb->posts WHERE ID = $post_id");
+ $pung = $wpdb->get_var( $wpdb->prepare( "SELECT pinged FROM $wpdb->posts WHERE ID = %d", $post_id ));
 $pung = trim($pung);
 $pung = preg_split('/\s/', $pung);
 $pung = apply_filters('get_pung', $pung);
@@ -922,7 +929,7 @@ function get_pung($post_id) { // Get URLs already pung for a post
 function get_to_ping($post_id) { // Get any URLs in the todo list
 global $wpdb;
- $to_ping = $wpdb->get_var("SELECT to_ping FROM $wpdb->posts WHERE ID = $post_id");
+ $to_ping = $wpdb->get_var( $wpdb->prepare( "SELECT to_ping FROM $wpdb->posts WHERE ID = %d", $post_id ));
 $to_ping = trim($to_ping);
 $to_ping = preg_split('/\s/', $to_ping, -1, PREG_SPLIT_NO_EMPTY);
 $to_ping = apply_filters('get_to_ping', $to_ping);
@@ -1001,7 +1008,7 @@ function &get_page(&$page, $output = OBJECT) {
 return get_post($page, $output);
 } else { // it's not in any caches, so off to the DB we go
 // Why are we using assignment for this query?
- $_page = & $wpdb->get_row("SELECT * FROM $wpdb->posts WHERE ID= '$page' LIMIT 1");
+ $_page = & $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE ID= %d LIMIT 1", $page ));
 if ( 'post' == $_page->post_type )
 return get_post($_page, $output);
 // Potential issue: we're not checking to see if the post_type = 'page'
@@ -1035,7 +1042,7 @@ function get_page_by_path($page_path, $output = OBJECT) {
 foreach($page_paths as $pathdir)
 $full_path .= ($pathdir!=''?'/':'') . sanitize_title($pathdir);
- $pages = $wpdb->get_results("SELECT ID, post_name, post_parent FROM $wpdb->posts WHERE post_name = '$leaf_path' AND post_type='page'");
+ $pages = $wpdb->get_results( $wpdb->prepare( "SELECT ID, post_name, post_parent FROM $wpdb->posts WHERE post_name = %s AND post_type='page'", $leaf_path ));
 if ( empty($pages) )
 return NULL;
@@ -1044,7 +1051,7 @@ function get_page_by_path($page_path, $output = OBJECT) {
 $path = '/' . $leaf_path;
 $curpage = $page;
 while ($curpage->post_parent != 0) {
- $curpage = $wpdb->get_row("SELECT ID, post_name, post_parent FROM $wpdb->posts WHERE ID = '$curpage->post_parent' and post_type='page'");
+ $curpage = $wpdb->get_row( $wpdb->prepare( "SELECT ID, post_name, post_parent FROM $wpdb->posts WHERE ID = %d and post_type='page'", $curpage->post_parent ));
 $path = '/' . $curpage->post_name . $path;
 }
@@ -1057,8 +1064,7 @@ function get_page_by_path($page_path, $output = OBJECT) {
 function get_page_by_title($page_title, $output = OBJECT) {
 global $wpdb;
- $page_title = $wpdb->escape($page_title);
- $page = $wpdb->get_var("SELECT ID FROM $wpdb->posts WHERE post_title = '$page_title' AND post_type='page'");
+ $page = $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE post_title = %s AND post_type='page'", $page_title ));
 if ( $page )
 return get_page($page, $output);
@@ -1141,9 +1147,9 @@ function &get_pages($args = '') {
 if ( count($incpages) ) {
 foreach ( $incpages as $incpage ) {
 if (empty($inclusions))
- $inclusions = ' AND ( ID = ' . intval($incpage) . ' ';
+ $inclusions = $wpdb->prepare(' AND ( ID = %d ', $incpage);
 else
- $inclusions .= ' OR ID = ' . intval($incpage) . ' ';
+ $inclusions .= $wpdb->prepare(' OR ID = %d ', $incpage);
 }
 }
 }
@@ -1156,9 +1162,9 @@ function &get_pages($args = '') {
 if ( count($expages) ) {
 foreach ( $expages as $expage ) {
 if (empty($exclusions))
- $exclusions = ' AND ( ID <> ' . intval($expage) . ' ';
+ $exclusions = $wpdb->prepare(' AND ( ID <> %d ', $expage);
 else
- $exclusions .= ' AND ID <> ' . intval($expage) . ' ';
+ $exclusions .= $wpdb->prepare(' AND ID <> %d ', $expage);
 }
 }
 }
@@ -1182,9 +1188,9 @@ function &get_pages($args = '') {
 }
 if ( '' == $author_query )
- $author_query = ' post_author = ' . intval($post_author) . ' ';
+ $author_query = $wpdb->prepare(' post_author = %d ', $post_author);
 else
- $author_query .= ' OR post_author = ' . intval($post_author) . ' ';
+ $author_query .= $wpdb->prepare(' OR post_author = %d ', $post_author);
 }
 if ( '' != $author_query )
 $author_query = " AND ($author_query)";
@@ -1194,6 +1200,7 @@ function &get_pages($args = '') {
 $query = "SELECT * FROM $wpdb->posts " ;
 $query .= ( empty( $meta_key ) ? "" : ", $wpdb->postmeta " ) ;
 $query .= " WHERE (post_type = 'page' AND post_status = 'publish') $exclusions $inclusions " ;
+ // expected_slashed ($meta_key, $meta_value) -- also, it looks funky
 $query .= ( empty( $meta_key ) | empty($meta_value) ? "" : " AND ($wpdb->posts.ID = $wpdb->postmeta.post_id AND $wpdb->postmeta.meta_key = '$meta_key' AND $wpdb->postmeta.meta_value = '$meta_value' )" ) ;
 $query .= $author_query;
 $query .= " ORDER BY " . $sort_column . " " . $sort_order ;
@@ -1234,7 +1241,7 @@ function generate_page_uri_index() {
 // URL => page name
 $uri = get_page_uri($id);
- $attachments = $wpdb->get_results("SELECT ID, post_name, post_parent FROM $wpdb->posts WHERE post_type = 'attachment' AND post_parent = '$id'");
+ $attachments = $wpdb->get_results( $wpdb->prepare( "SELECT ID, post_name, post_parent FROM $wpdb->posts WHERE post_type = 'attachment' AND post_parent = %d", $id ));
 if ( $attachments ) {
 foreach ( $attachments as $attachment ) {
 $attach_uri = get_page_uri($attachment->ID);
@@ -1312,14 +1319,16 @@ function wp_insert_attachment($object, $file = false, $parent = 0) {
 else
 $post_name = sanitize_title($post_name);
+ // expected_slashed ($post_name)
 $post_name_check =
- $wpdb->get_var("SELECT post_name FROM $wpdb->posts WHERE post_name = '$post_name' AND post_status = 'inherit' AND ID != '$post_ID' LIMIT 1");
+ $wpdb->get_var( $wpdb->prepare( "SELECT post_name FROM $wpdb->posts WHERE post_name = '$post_name' AND post_status = 'inherit' AND ID != %d LIMIT 1", $post_ID));
 if ($post_name_check) {
 $suffix = 2;
 while ($post_name_check) {
 $alt_post_name = $post_name . "-$suffix";
- $post_name_check = $wpdb->get_var("SELECT post_name FROM $wpdb->posts WHERE post_name = '$alt_post_name' AND post_status = 'inherit' AND ID != '$post_ID' AND post_parent = '$post_parent' LIMIT 1");
+ // expected_slashed ($alt_post_name, $post_name)
+ $post_name_check = $wpdb->get_var( $wpdb->prepare( "SELECT post_name FROM $wpdb->posts WHERE post_name = '$alt_post_name' AND post_status = 'inherit' AND ID != %d AND post_parent = %d LIMIT 1", $post_ID, $post_parent));
 $suffix++;
 }
 $post_name = $alt_post_name;
@@ -1361,7 +1370,9 @@ function wp_insert_attachment($object, $file = false, $parent = 0) {
 $pinged = '';
 if ($update) {
+ // expected_slashed (everything!)
 $wpdb->query(
+ $wpdb->prepare(
 "UPDATE $wpdb->posts SET
 post_author = '$post_author',
 post_date = '$post_date',
@@ -1380,23 +1391,26 @@ function wp_insert_attachment($object, $file = false, $parent = 0) {
 pinged = '$pinged',
 post_modified = '".current_time('mysql')."',
 post_modified_gmt = '".current_time('mysql',1)."',
- post_parent = '$post_parent',
+ post_parent = %d,
 menu_order = '$menu_order',
 post_mime_type = '$post_mime_type',
 guid = '$guid'
- WHERE ID = $post_ID");
+ WHERE ID = %d", $post_parent, $post_ID));
 } else {
+ // expected_slashed (everything!)
 $wpdb->query(
+ $wpdb->prepare(
 "INSERT INTO $wpdb->posts
 (post_author, post_date, post_date_gmt, post_content, post_content_filtered, post_title, post_excerpt, post_status, post_type, comment_status, ping_status, post_password, post_name, to_ping, pinged, post_modified, post_modified_gmt, post_parent, menu_order, post_mime_type, guid)
 VALUES
- ('$post_author', '$post_date', '$post_date_gmt', '$post_content', '$post_content_filtered', '$post_title', '$post_excerpt', '$post_status', '$post_type', '$comment_status', '$ping_status', '$post_password', '$post_name', '$to_ping', '$pinged', '$post_date', '$post_date_gmt', '$post_parent', '$menu_order', '$post_mime_type', '$guid')");
+ ('$post_author', '$post_date', '$post_date_gmt', '$post_content', '$post_content_filtered', '$post_title', '$post_excerpt', '$post_status', '$post_type', '$comment_status', '$ping_status', '$post_password', '$post_name', '$to_ping', '$pinged', '$post_date', '$post_date_gmt', %d, '$menu_order', '$post_mime_type', '$guid')", $post_parent ));
 $post_ID = (int) $wpdb->insert_id;
 }
 if ( empty($post_name) ) {
 $post_name = sanitize_title($post_title, $post_ID);
- $wpdb->query( "UPDATE $wpdb->posts SET post_name = '$post_name' WHERE ID = '$post_ID'" );
+ // expected_slashed ($post_name)
+ $wpdb->query( $wpdb->prepare( "UPDATE $wpdb->posts SET post_name = '$post_name' WHERE ID = %d", $post_ID));
 }
 wp_set_post_categories($post_ID, $post_category);
@@ -1417,9 +1431,8 @@ function wp_insert_attachment($object, $file = false, $parent = 0) {
 function wp_delete_attachment($postid) {
 global $wpdb;
- $postid = (int) $postid;
- if ( !$post = $wpdb->get_row("SELECT * FROM $wpdb->posts WHERE ID = '$postid'") )
+ if ( !$post = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE ID = %d", $postid)) )
 return $post;
 if ( 'attachment' != $post->post_type )
@@ -1431,15 +1444,15 @@ function wp_delete_attachment($postid) {
 // TODO delete for pluggable post taxonomies too
 wp_delete_object_term_relationships($postid, array('category', 'post_tag'));
- $wpdb->query("DELETE FROM $wpdb->posts WHERE ID = '$postid'");
+ $wpdb->query( $wpdb->prepare( "DELETE FROM $wpdb->posts WHERE ID = %d", $postid ));
- $wpdb->query("DELETE FROM $wpdb->comments WHERE comment_post_ID = '$postid'");
+ $wpdb->query( $wpdb->prepare( "DELETE FROM $wpdb->comments WHERE comment_post_ID = %d", $postid ));
- $wpdb->query("DELETE FROM $wpdb->postmeta WHERE post_id = '$postid'");
+ $wpdb->query( $wpdb->prepare( "DELETE FROM $wpdb->postmeta WHERE post_id = %d ", $postid ));
 if ( ! empty($meta['thumb']) ) {
 // Don't delete the thumb if another attachment uses it
- if (! $wpdb->get_row("SELECT meta_id FROM $wpdb->postmeta WHERE meta_key = '_wp_attachment_metadata' AND meta_value LIKE '%".$wpdb->escape($meta['thumb'])."%' AND post_id <> $postid")) {
+ if (! $wpdb->get_row( $wpdb->prepare( "SELECT meta_id FROM $wpdb->postmeta WHERE meta_key = '_wp_attachment_metadata' AND meta_value LIKE %s AND post_id <> %d", '%'.$meta['thumb'].'%', $postid)) ) {
 $thumbfile = str_replace(basename($file), $meta['thumb'], $file);
 $thumbfile = apply_filters('wp_delete_file', $thumbfile);
 @ unlink($thumbfile);
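Review bot: The thumb-reuse check now binds `'%'.$meta['thumb'].'%'` as the LIKE pattern, but `%` and `_` inside the filename itself are still LIKE wildcards, so a thumb name containing `_` matches more rows than intended; the failure mode is keeping a thumb nothing else uses rather than deleting one in use, but the test is not the exact match the comment above it describes. Escaping the literal part before wrapping, `'%'.addcslashes($meta['thumb'], '%_').'%'`, makes it exact. wp_delete_attachment continues past this hunk.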
@@ -1831,7 +1844,7 @@ function _transition_post_status($new_status, $old_status, $post) {
 if ( $old_status != 'publish' && $new_status == 'publish' ) {
 // Reset GUID if transitioning to publish.
- $wpdb->query("UPDATE $wpdb->posts SET guid = '" . get_permalink($post->ID) . "' WHERE ID = '$post->ID'");
+ $wpdb->query( $wpdb->prepare( "UPDATE $wpdb->posts SET guid = %s WHERE ID = %d", get_permalink($post->ID), $post->ID ));
 do_action('private_to_published', $post->ID); // Deprecated, use private_to_publish
 }
@@ -1859,16 +1872,16 @@ function _publish_post_hook($post_id) {
 $post = get_post($post_id);
 if ( get_option('default_pingback_flag') )
- $result = $wpdb->query("
+ $result = $wpdb->query( $wpdb->prepare( "
 INSERT INTO $wpdb->postmeta
 (post_id,meta_key,meta_value)
- VALUES ('$post_id','_pingme','1')
- ");
- $result = $wpdb->query("
+ VALUES (%s,'_pingme','1')
+ ", $post_id ));
+ $result = $wpdb->query( $wpdb->prepare( "
 INSERT INTO $wpdb->postmeta
 (post_id,meta_key,meta_value)
- VALUES ('$post_id','_encloseme','1')
- ");
+ VALUES (%s,'_encloseme','1')
+ ", $post_id ));
 wp_schedule_single_event(time(), 'do_pings');
 }
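Review bot: Both statements in _publish_post_hook bind `$post_id` with `%s` (`VALUES (%s,'_pingme','1')`), whereas every other `post_id` value in this commit is bound with `%d`; `%s` quotes the value and skips the integer cast the other call sites rely on. Use `VALUES (%d,'_pingme','1')` and `VALUES (%d,'_encloseme','1')`. While rewriting these lines it is also worth making the control flow explicit: the `if ( get_option('default_pingback_flag') )` guard covers only the first statement, so the `_encloseme` row is always inserted, and braces around the intended body would remove the ambiguity.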